Fri, Dec 10, 2010
Many websites, like Facebook, Twitter or Gmail, require a login and password. After you type that password, the website assigns your web browser a cookie, which represents your identity on that site while you are logged in. If someone else can intercept your cookie, they can do anything on that website that you can.
Unfortunately, not all websites that use cookies in this way also use encryption (such as SSL/HTTPS) to protect your cookie from being intercepted as it is transmitted. You can tell whether a particular website uses encryption by checking that the URLs it uses always start with https://.
If the website is not using encryption, anyone with the right software may be able to intercept your cookie and use it to impersonate you. One example of a program that can do this is Firesheep, a plugin for the Firefox web browser. Firesheep makes it very easy to capture any visible cookies on a network, without any sign to the user that this is happening, and to use those cookies to impersonate someone on a website. Amy Gahran of CNN wrote an article about her experience using Firesheep on a coffee shop's wireless network.
To protect yourself from this sort of attack, it is important to choose secure access to websites whenever it is available. The HTTPS Everywhere plugin for Firefox makes this easy for many common sites: if the site offers both HTTP and HTTPS access, HTTPS Everywhere will direct your Firefox web browser to use HTTPS.
Another way to protect yourself is to use a Virtual Private Network (VPN). Any CSLab user can request access to the CSLab VPN, which will encrypt all your network traffic and tunnel it to the CSLab network, from which it will then be forwarded on to its destination. The University of Toronto also has a VPN service, which works similarly. Note, however, that if you use a VPN, your network traffic will be routed through the university, so please do not do anything that you would not do when connected to the university's networks.
Finally, please use general good sense when using websites. For example, when you are finished using a website, log out. Be especially vigilant when using a public network (such as a Wi-Fi hotspot or an Internet cafe). Watch for signs that your social networking and other web accounts have been used by someone else, and change your password (using HTTPS, of course) if you think they have been.
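The post describes the problem from the user's side; the site operator's side of the same problem is whether the session cookie is ever allowed onto a plain-HTTP connection at all. The script below is an added example, not code from the original post: it takes a response URL and its headers and reports the three things that let Firesheep-style capture work, a cookie issued over HTTP, a cookie without the Secure flag (which the browser will then send on any http:// request to the site), and a cookie without HttpOnly. The URLs and headers are constructed, and `audit_response` and `parse_set_cookie` are names chosen here.

```python
"""Audit a web response's cookie handling for the weakness described above.

Added example, not code from the original post. The URLs and headers below
are constructed, and `audit_response` is a hypothetical helper name.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_response(url, headers):
    """Return a list of findings for a response that sets cookies.

    `headers` maps header names to lists of values, since Set-Cookie may
    repeat; header names are matched exactly as given here.
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    cookies = headers.get("Set-Cookie", [])
    for raw in cookies:
        name, _, attrs = parse_set_cookie(raw)
        if scheme != "https":
            findings.append(f"{name}: issued over plain HTTP, so it crossed the network in the clear")
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, so the browser will also send it on http:// requests")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    if cookies and scheme == "https" and "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header, so a later http:// visit is not upgraded")
    return findings


# Constructed sample responses: the first is how a site vulnerable to cookie
# capture behaves, the second is the hardened form.
WEAK_URL = "http://social.example/home"
WEAK_HEADERS = {"Set-Cookie": ["sessionid=abc123; Path=/"]}

HARDENED_URL = "https://social.example/home"
HARDENED_HEADERS = {
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly"],
    "Strict-Transport-Security": ["max-age=31536000"],
}

if __name__ == "__main__":
    for label, url, hdrs in (("weak", WEAK_URL, WEAK_HEADERS),
                             ("hardened", HARDENED_URL, HARDENED_HEADERS)):
        print(label, audit_response(url, hdrs) or "no findings")
```

The Strict-Transport-Security check is there because a Secure flag alone does not stop a user from typing http:// first; HSTS is what makes the browser do on its own what HTTPS Everywhere does for the sites on its list.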
Thu, Apr 30, 2009
Alternatives to Adobe Acrobat Reader
Adobe Acrobat Reader is not the only software available to view PDFs. When a flaw is reported in Acrobat Reader, it may be possible to protect oneself against it by using another software package to view PDFs. Alternatives to Acrobat Reader for Windows systems include Foxit, Cabaret Stage, Xpdf, PDF-XChange Viewer, and GSview. A list of PDF software is maintained at Wikipedia.
Tue, Apr 21, 2009
Defending against SSH password guessing attacks
If you run an SSH server on your computer so that you can log into it from outside, please make sure that all your accounts, particularly system ones like "root", have strong, hard-to-guess passwords, not short passwords or passwords based on dictionary words or names. Increasingly, many compromised machines on the internet are being used to try to connect to any SSH service they can find, using guessed logins and passwords. If you have SSH running on your machine, make sure all your passwords are hard to guess.
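The guessing the post describes leaves a clear trace in the SSH server's log: a single source address producing a run of "Failed password" lines, often for accounts that do not even exist. The script below is an added example, not code from the original post, showing how to pull that pattern out of the log. The log lines are constructed in the usual syslog format, the addresses are from documentation ranges, and `failed_logins_by_source` and `suspected_guessers` are names chosen here.

```python
"""Spot password-guessing against sshd from its log lines.

Added example, not part of the original post. The log lines are
constructed in the usual syslog format; the source addresses are from
documentation ranges and `suspected_guessers` is a hypothetical name.
"""
import re
import sys
from collections import Counter

SAMPLE_AUTH_LOG = """\
Apr 21 03:14:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr 21 03:14:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Apr 21 03:14:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Apr 21 03:14:09 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 51055 ssh2
Apr 21 03:14:12 host sshd[1209]: Failed password for root from 198.51.100.7 port 51060 ssh2
Apr 21 08:02:44 host sshd[2001]: Failed password for alice from 203.0.113.5 port 40012 ssh2
Apr 21 08:02:51 host sshd[2001]: Accepted password for alice from 203.0.113.5 port 40012 ssh2
"""

# One failed password attempt; "invalid user" marks accounts that do not exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins_by_source(log_text):
    """Count failed attempts per source address and collect the usernames tried."""
    per_source = Counter()
    users = {}
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        user, src = match.groups()
        per_source[src] += 1
        users.setdefault(src, set()).add(user)
    return per_source, users


def suspected_guessers(log_text, threshold=5):
    """Sources with at least `threshold` failures, busiest first.

    Each entry is (source, failure count, sorted usernames tried). A single
    source cycling through root, admin, oracle is the pattern described above.
    """
    per_source, users = failed_logins_by_source(log_text)
    return [
        (src, count, sorted(users[src]))
        for src, count in per_source.most_common()
        if count >= threshold
    ]


if __name__ == "__main__":
    # Pass a real auth.log path to scan it; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for src, count, names in suspected_guessers(text):
        print(f"{src}: {count} failures, tried {', '.join(names)}")
```

The one legitimate user who mistyped a password once (203.0.113.5 in the sample) stays below the threshold; the source that tried root three times and two non-existent accounts in eleven seconds does not.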
Mon, Jan 26, 2009
Autorun/Autoplay
Autorun/Autoplay is a feature of Microsoft Windows that allows software on removable media (such as flash drives or memory cards) to run automatically. Some worms/viruses, such as Conficker, use Autorun/Autoplay to propagate from one machine to another. It is safest to disable Autorun/Autoplay entirely on Windows computers.
To disable Autorun/Autoplay, follow the instructions at http://www.us-cert.gov/cas/techalerts/TA09-020A.html. Microsoft has admitted that its original instructions do not fully disable Autorun/Autoplay, and has provided updates at http://support.microsoft.com/kb/953252. The loss of the Autorun/Autoplay feature will mean that software will no longer run automatically when you insert digital media. Most often, this means that software will not automatically install when you insert the installation CD or DVD, and you will have to click the drive icon of the removable device and then double-click on the installer icon (usually called "setup"). However, music and video CDs and DVDs will continue to play automatically.
Fri, May 02, 2008
Be Aware of "Phishing" Emails
There has been a rash of "spear phishing" attacks on campus. These are emails targeted at specific people or groups that attempt to convince them to execute a malicious attachment, click on a malicious link, or divulge personal information (e.g. by emailing one's login and password to a particular address). These "spear phishing" emails are crafted to appear to come from trusted university sources, such as the campus help desk.
Please be aware that no university help desk or tech support group will send you an unsolicited message asking you to email a password or execute an attached program. If you get such a request, it is likely a forgery. For more information on the recent attacks, see http://www.news.utoronto.ca/campus-news/u-of-t-computer-staff-warn-of-phishing-scams.html
Sat, Mar 31, 2007
Malicious Email and Web Files Exploiting Microsoft Products
Since before the end of 2006, there have been a number of unpatched vulnerabilities in Microsoft products, some of them quite serious, that remain exploitable by email and/or the web. Many of these vulnerabilities are being actively exploited. A summary of these vulnerabilities is maintained by the SANS Internet Storm Center (isc.sans.org) at http://isc.sans.org/diary.html?storyid=1940
Some general recommendations for protecting oneself from malicious emails and web pages are as follows. Distrust Microsoft Office (Word, Excel, PowerPoint) email attachments that have not been solicited, even from people one knows (senders are easily forged). Read email in plain text wherever possible. Examine URLs in email messages for plausibility, and cut and paste them into one's web browser rather than merely clicking on them. If at all possible, avoid using Microsoft Outlook or Outlook Express for email, and Microsoft Internet Explorer as one's default web browser: use Internet Explorer only for trusted web pages that require it. Never browse the web or read email as an administrator; create and use a "limited user" account for this, so that any malicious command that may be executed will not have full access to the machine.
Unfortunately, following these recommendations will not provide complete protection. Only Microsoft can fix the flaws that are being exploited, and until they do, all users of the relevant products remain vulnerable. However, these may help reduce the risk.
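The advice above to examine URLs for plausibility, and to paste rather than click, exists because the text of a link and its real destination need not agree. The script below is an added example, not code from the original post, showing what that examination looks like when written down: it pulls every link out of a message and flags a destination that is a bare IP address, a URL whose hostname is hidden behind user@, a host that merely contains a trusted domain name, and link text that shows one host while the link goes to another. The message, the addresses and the trusted-domain list are constructed for the example, and `audit_message` and `check_url` are names chosen here.

```python
"""Check the URLs in an email for the signs of a forged link.

Added example, not code from the original post. The message, the
addresses and the trusted-domain list are constructed; `audit_message`
and `check_url` are hypothetical names.
"""
import re
from urllib.parse import urlsplit

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL = re.compile(r'https?://[^\s<>"\']+')
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def shown_host(text):
    """Host a reader would infer from link text, or None if it shows none."""
    text = text.strip()
    match = BARE_URL.search(text)
    if match:
        return host_of(match.group(0))
    return text.lower() if HOSTNAME.match(text) else None


def check_url(url, link_text=None, trusted=()):
    """Findings for one URL; an empty list means nothing looked wrong."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append(f"text before @ is not the site; the real host is {host}")
    if IPV4.match(host):
        findings.append("destination is a bare IP address")
    for domain in trusted:
        # "utoronto.ca.example.net" contains the trusted name but is not under it.
        if domain in host and host != domain and not host.endswith("." + domain):
            findings.append(f"resembles {domain} but the real host is {host}")
    if link_text is not None:
        shown = shown_host(link_text)
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


def audit_message(body, trusted=()):
    """Return [(url, findings)] for every URL in the message that raised a finding."""
    report = []
    for match in ANCHOR.finditer(body):
        href, text = match.group(1), match.group(2)
        findings = check_url(href, text, trusted)
        if findings:
            report.append((href, findings))
    # Bare URLs outside any anchor, scanned after the anchors are removed.
    for match in BARE_URL.finditer(ANCHOR.sub(" ", body)):
        findings = check_url(match.group(0), None, trusted)
        if findings:
            report.append((match.group(0), findings))
    return report


# Constructed sample message in the style of the campus phishing described above.
SAMPLE_EMAIL = """\
Your mailbox quota has been exceeded. Verify your account at
<a href="http://198.51.100.23/webmail/login">https://webmail.utoronto.ca/login</a>
within 24 hours. Help desk: <a href="https://help.utoronto.ca.example.net/">help.utoronto.ca</a>
See also http://www.utoronto.ca@evil.example/reset and https://www.utoronto.ca/security
"""

if __name__ == "__main__":
    for url, findings in audit_message(SAMPLE_EMAIL, trusted=("utoronto.ca",)):
        print(url)
        for finding in findings:
            print("  -", finding)
```

Of the four links in the sample, only the last (a real utoronto.ca address) comes back clean; the first three trip the checks that a reader pasting the URL into the browser's address bar would catch by eye.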